* [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
@ 2013-08-16 11:03 Dominick Grift
2013-08-21 13:19 ` Christopher J. PeBenito
2013-09-23 18:28 ` Christopher J. PeBenito
0 siblings, 2 replies; 5+ messages in thread
From: Dominick Grift @ 2013-08-16 11:03 UTC (permalink / raw)
To: refpolicy
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eada65c..568c335 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -74,6 +74,9 @@
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
+type sshd_keytab_t;
+files_type(sshd_keytab_t)
+
##############################
#
# SSH client local policy
@@ -224,6 +227,8 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
+allow sshd_t sshd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -261,7 +266,8 @@
')
optional_policy(`
- kerberos_keytab_template(sshd, sshd_t)
+ kerberos_read_keytab(sshd_t)
+ kerberos_use(sshd_t)
')
optional_policy(`
^ permalink raw reply related [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
2013-08-16 11:03 [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) Dominick Grift
@ 2013-08-21 13:19 ` Christopher J. PeBenito
2013-08-21 13:42 ` Dominick Grift
2013-08-26 13:49 ` Daniel J Walsh
2013-09-23 18:28 ` Christopher J. PeBenito
1 sibling, 2 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2013-08-21 13:19 UTC (permalink / raw)
To: refpolicy
Dan/Miroslav, do you have any comments on the keytab functions? I don't have a kerberos system to look at.
Dominick, from your contrib commit, you're saying that you looked at this because it breaks monolithic? Its too bad the toolchain can't emit file_context files out of semodule_expand, as then we could build all policies as modular, and then if monolithic is requested, simply expand out the modules into policy.2x and file_context files.
On 08/16/2013 07:03 AM, Dominick Grift wrote:
> This keytab functionality should be re-evaluated because it does not
> make sense in its current implementation
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..568c335 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -74,6 +74,9 @@
> typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
> userdom_user_home_content(ssh_home_t)
>
> +type sshd_keytab_t;
> +files_type(sshd_keytab_t)
> +
> ##############################
> #
> # SSH client local policy
> @@ -224,6 +227,8 @@
> allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
> allow sshd_t self:key { search link write };
>
> +allow sshd_t sshd_keytab_t:file read_file_perms;
> +
> manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> @@ -261,7 +266,8 @@
> ')
>
> optional_policy(`
> - kerberos_keytab_template(sshd, sshd_t)
> + kerberos_read_keytab(sshd_t)
> + kerberos_use(sshd_t)
> ')
>
> optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
2013-08-21 13:19 ` Christopher J. PeBenito
@ 2013-08-21 13:42 ` Dominick Grift
2013-08-26 13:49 ` Daniel J Walsh
1 sibling, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2013-08-21 13:42 UTC (permalink / raw)
To: refpolicy
On Wed, 2013-08-21 at 09:19 -0400, Christopher J. PeBenito wrote:
> Dan/Miroslav, do you have any comments on the keytab functions? I don't have a kerberos system to look at.
>
> Dominick, from your contrib commit, you're saying that you looked at this because it breaks monolithic? Its too bad the toolchain can't emit file_context files out of semodule_expand, as then we could build all policies as modular, and then if monolithic is requested, simply expand out the modules into policy.2x and file_context files.
>
The monolithic issue i raised is due to the type declarations in the
kerberos_keytab_template(), not the file contexts (you will get into
nesting optional policy issues if you declare types in optional policy,
which is hard to diagnose and also just unnecessary)
The file contexts would raise problems in modular policy, so yes that is
another reason to change this to be unconditional (although it was not
my primary reason for this commit)
> On 08/16/2013 07:03 AM, Dominick Grift wrote:
> > This keytab functionality should be re-evaluated because it does not
> > make sense in its current implementation
> >
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> > index eada65c..568c335 100644
> > --- a/policy/modules/services/ssh.te
> > +++ b/policy/modules/services/ssh.te
> > @@ -74,6 +74,9 @@
> > typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
> > userdom_user_home_content(ssh_home_t)
> >
> > +type sshd_keytab_t;
> > +files_type(sshd_keytab_t)
> > +
> > ##############################
> > #
> > # SSH client local policy
> > @@ -224,6 +227,8 @@
> > allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
> > allow sshd_t self:key { search link write };
> >
> > +allow sshd_t sshd_keytab_t:file read_file_perms;
> > +
> > manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> > @@ -261,7 +266,8 @@
> > ')
> >
> > optional_policy(`
> > - kerberos_keytab_template(sshd, sshd_t)
> > + kerberos_read_keytab(sshd_t)
> > + kerberos_use(sshd_t)
> > ')
> >
> > optional_policy(`
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread* [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
2013-08-21 13:19 ` Christopher J. PeBenito
2013-08-21 13:42 ` Dominick Grift
@ 2013-08-26 13:49 ` Daniel J Walsh
1 sibling, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2013-08-26 13:49 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/21/2013 09:19 AM, Christopher J. PeBenito wrote:
> Dan/Miroslav, do you have any comments on the keytab functions? I don't
> have a kerberos system to look at.
>
> Dominick, from your contrib commit, you're saying that you looked at this
> because it breaks monolithic? Its too bad the toolchain can't emit
> file_context files out of semodule_expand, as then we could build all
> policies as modular, and then if monolithic is requested, simply expand out
> the modules into policy.2x and file_context files.
>
I think this is a good idea. We should change to this. I was never a fan of
creating types in interfaces for all of the weird side effects and makes code
harder to understand.
> On 08/16/2013 07:03 AM, Dominick Grift wrote:
>> This keytab functionality should be re-evaluated because it does not make
>> sense in its current implementation
>>
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
>> a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index
>> eada65c..568c335 100644 --- a/policy/modules/services/ssh.te +++
>> b/policy/modules/services/ssh.te @@ -74,6 +74,9 @@ typealias ssh_home_t
>> alias { auditadm_home_ssh_t secadm_home_ssh_t };
>> userdom_user_home_content(ssh_home_t)
>>
>> +type sshd_keytab_t; +files_type(sshd_keytab_t) +
>> ############################## # # SSH client local policy @@ -224,6
>> +227,8 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
>> allow sshd_t self:key { search link write };
>>
>> +allow sshd_t sshd_keytab_t:file read_file_perms; +
>> manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>> manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
>> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) @@ -261,7
>> +266,8 @@ ')
>>
>> optional_policy(` - kerberos_keytab_template(sshd, sshd_t) +
>> kerberos_read_keytab(sshd_t) + kerberos_use(sshd_t) ')
>>
>> optional_policy(` _______________________________________________
>> refpolicy mailing list refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlIbXQEACgkQrlYvE4MpobOLLACg58KPX0C0zSwVXLnBVkn36DM1
GvcAoNVw28+hCXmRfsAPsvlp8xLqCmPw
=DT/w
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 5+ messages in thread
* [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
2013-08-16 11:03 [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) Dominick Grift
2013-08-21 13:19 ` Christopher J. PeBenito
@ 2013-09-23 18:28 ` Christopher J. PeBenito
1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2013-09-23 18:28 UTC (permalink / raw)
To: refpolicy
On 08/16/2013 07:03 AM, Dominick Grift wrote:
>
> This keytab functionality should be re-evaluated because it does not
> make sense in its current implementation
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index eada65c..568c335 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -74,6 +74,9 @@
> typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
> userdom_user_home_content(ssh_home_t)
>
> +type sshd_keytab_t;
> +files_type(sshd_keytab_t)
> +
> ##############################
> #
> # SSH client local policy
> @@ -224,6 +227,8 @@
> allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
> allow sshd_t self:key { search link write };
>
> +allow sshd_t sshd_keytab_t:file read_file_perms;
> +
> manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
> @@ -261,7 +266,8 @@
> ')
>
> optional_policy(`
> - kerberos_keytab_template(sshd, sshd_t)
> + kerberos_read_keytab(sshd_t)
> + kerberos_use(sshd_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-09-23 18:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-16 11:03 [refpolicy] [PATCH] The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope) Dominick Grift
2013-08-21 13:19 ` Christopher J. PeBenito
2013-08-21 13:42 ` Dominick Grift
2013-08-26 13:49 ` Daniel J Walsh
2013-09-23 18:28 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.